Transcript of: Exploring Emotet, an elaborate everyday enigma · 2019-10-08
Luca Nagy
Threat Researcher, SophosLabs
Oct 2019
Exploring Emotet, an elaborate everyday enigma
History of Emotet
May, 2014: V1 - first sample seen by Sophos
Nov, 2014: V2 - modular structure; targeting German and Austrian banks
Jan, 2015: V3 - anti-VM techniques, social engineering tricks; targeting Swiss banks
No significant campaign
Dec, 2016: delivered by Rig EK
Apr, 2017: V4 - targeting UK; no banking module; network spreading capabilities; delivery service for other malware
May, 2017
Arriving to USA
Auto-updating the binary
Dropping Dridex, IcedID
Dropping ZeusPanda, Trickbot, Qbot
Oct, 2018: email harvesting module
May, 2019
Email conversation chains in spam messages
2@luca_nagy_
After a long break, it reappeared in Aug, 2019
Unique binaries and downloaders on a daily basis (2019)
• New binaries: 70
• New downloaders: 1763
Delivery method - Spam messages
Anti-analysis techniques: Anti-VM techniques, process injection
Anti-VM techniques
• Checking process list locally, using fake IP list
• Detecting VM, AV related files, folders
• Detecting sandbox environment
• Sending process list
Process injection
• Wrapper modules
• Heaven’s Gate
Anti-analysis techniques: Injecting into 64 bit process - Heaven’s Gate
(Screenshots: the same injected code viewed in a 32 bit disassembler and in a 64 bit disassembler)
Anti-analysis techniques: Custom packer
Main functions of the binary
C2 server communication
IP address count used to reach the C2 (chart: observed in the first 4 months of 2019)
Downloaded Modules: Wrapper modules
Inject into:
• /System32/alg.exe
• New instance of itself
Wrapper modules - Injected NirSoft executables
• WebBrowserPassView
• Mail PassView
Wrapper modules - Injected proprietary executables
• Email contact extractor
• Email content harvester
Regular modules: Network spreading module
• Enumerating SMB, null session connection
• Brute-forcing the connections (~10 000 passwords)
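The two bullets above describe what the spreading module does on the wire: a null-session SMB connection to enumerate, then a password-list attack against the accounts it found. From the defender's side both steps leave a recognisable trace in the Windows Security log (event 4624 with ANONYMOUS LOGON for the null session, a burst of 4625 network-logon failures for the brute force). The detection below is an added example, not code from the talk: it runs over constructed, pipe-delimited log lines (not real telemetry), and the 20-failures-per-minute threshold and the line format are assumptions chosen for the sample.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry), one event per line:
# timestamp|event_id|logon_type|target_account|source_ip
# 4625 = failed logon, 4624 = successful logon, logon type 3 = network (SMB).
def _burst(source, start, count):
    """Build `count` failed network logons from `source`, 2 seconds apart."""
    accounts = ["administrator", "admin", "backup", "guest", "user"]
    lines = []
    for i in range(count):
        ts = start + timedelta(seconds=2 * i)
        lines.append(f"{ts.isoformat()}|4625|3|{accounts[i % len(accounts)]}|{source}")
    return lines

T0 = datetime(2019, 8, 20, 10, 0, 0)
SAMPLE_LINES = (
    # Null-session enumeration: anonymous network logon from the spreading host.
    [f"{T0.isoformat()}|4624|3|ANONYMOUS LOGON|10.0.0.7"]
    + _burst("10.0.0.7", T0 + timedelta(seconds=5), 25)   # 25 failures in ~50 s
    + _burst("10.0.0.9", T0 + timedelta(minutes=3), 2)    # a user mistyping twice
    + [f"{(T0 + timedelta(minutes=3, seconds=10)).isoformat()}|4624|3|alice|10.0.0.9"]
)

def parse_line(line):
    """Parse one constructed log line into a dict."""
    ts, event_id, logon_type, account, source = line.strip().split("|")
    return {
        "ts": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "logon_type": int(logon_type),
        "account": account,
        "source": source,
    }

def null_session_sources(events):
    """Sources that obtained an anonymous network logon (a null session)."""
    return sorted({e["source"] for e in events
                   if e["event_id"] == 4624 and e["logon_type"] == 3
                   and e["account"].upper() == "ANONYMOUS LOGON"})

def bruteforce_sources(events, threshold=20, window=timedelta(minutes=1)):
    """Sources with at least `threshold` failed network logons inside any
    sliding `window`. Returns {source: peak failures seen in one window}."""
    by_source = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event_id"] == 4625 and e["logon_type"] == 3:
            by_source[e["source"]].append(e["ts"])
    hits = {}
    for source, times in by_source.items():
        recent = deque()
        peak = 0
        for t in times:
            recent.append(t)
            while t - recent[0] > window:   # drop failures older than the window
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            hits[source] = peak
    return hits

def analyze(lines, threshold=20):
    """Return (source, severity, reason) alerts; a brute force that follows a
    null session from the same host is rated higher than a brute force alone."""
    events = [parse_line(line) for line in lines]
    brute = bruteforce_sources(events, threshold)
    nulls = null_session_sources(events)
    alerts = []
    for src, n in brute.items():
        preceded = src in nulls
        reason = f"{n} failed SMB logons within 1 minute"
        if preceded:
            reason += ", preceded by null-session logon"
        alerts.append((src, "high" if preceded else "medium", reason))
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LINES):
        print(alert)
```

The sliding window matters more than the raw count: a ~10 000-password list run against a share produces failures in a tight burst, while ordinary users fail a few times spread over a day, so counting per window separates the two without a global tally that grows all day.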
Regular modules: UPNP module
• Port-forwarding
Port numbers set by the module:
20, 21, 22, 53, 80, 143, 443, 465, 990, 993, 995, 7080, 8080, 8090, 8443, 50000
(Same as the port numbers used to reach the C2 – hardcoded in the binary)
• Bypassing firewall rules
• Verifying the settings
Regular modules: Spam bot module
• SMTP message sent by the spam bot module (screenshot; labels: sender = victim A, receiver = target A, hijacked account = victim B, template)
Delivered malware
• Directly: banking Trojans (e.g. Trickbot, Qbot, Dridex, Ursnif, IcedID, …)
• As a second stage: ransomware (e.g. Ryuk, BitPaymer, MegaCortex)
• Attack-chains:
• Emotet – TrickBot – Ryuk
• Emotet – Dridex – BitPaymer
• Emotet – Qbot – MegaCortex
Sum up
• Information, credentials from browser
• Spreading through LAN
• Email address books
  From: victim A’s name <victim B’s account>  To: target A
  (target A = victim A’s acquaintance)
• Email account settings
  From: victim B’s name <victim A’s account>  To: target B
  (target B = victim B’s acquaintance)
• Email conversation threads
  From: victim A’s name <victim B’s account>  Subject: RE:  To: target A
  (target A = victim A’s acquaintance)
  Body: link to victim A’s email domain/…/...zip
• Spamming
• Proxy
• Deliver malware
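The spam pattern summarised above has three observable parts: a known person's display name on a different victim's hijacked account, a subject that claims to be a reply, and a link to a .zip under the impersonated sender's own mail domain. The following mail-gateway heuristic is an added example, not code from the talk. It assumes a directory mapping display names to the mailbox each person actually sends from (the constructed KNOWN_SENDERS), and both messages it scores are constructed, with fictional .test domains.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed directory (assumption): display names the organisation knows,
# mapped to the mailbox each person really sends from.
KNOWN_SENDERS = {
    "Alice Example": "alice@example-corp.test",   # victim A
    "Bob Vendor": "bob@vendor-b.test",            # victim B
}

# Constructed message shaped like the described template: victim A's name on
# victim B's account, a bare "RE:" subject with no threading headers, and a
# .zip link under victim A's own mail domain.
RAW_MESSAGE = """\
From: Alice Example <bob@vendor-b.test>
To: Carol Customer <carol@customer.test>
Subject: RE:
Message-ID: <123@vendor-b.test>
Content-Type: text/plain; charset=utf-8

Hi Carol,
Please see the attached document:
http://example-corp.test/docs/invoice/file_2019.zip

Alice
"""

# Constructed legitimate reply for comparison: right name on the right
# account, and a real In-Reply-To header.
BENIGN_MESSAGE = """\
From: Bob Vendor <bob@vendor-b.test>
To: Carol Customer <carol@customer.test>
Subject: RE: invoice
In-Reply-To: <abc@customer.test>
Content-Type: text/plain; charset=utf-8

Thanks, received.
"""

URL_RE = re.compile(r"https?://([^/\s]+)(/\S*)?", re.IGNORECASE)

def sender_mismatch(msg):
    """(name, address, expected) when a known display name is used on an
    address that is not that person's own; None otherwise."""
    name, addr = parseaddr(msg.get("From", ""))
    expected = KNOWN_SENDERS.get(name)
    if expected and expected.lower() != addr.lower():
        return name, addr, expected
    return None

def fake_reply(msg):
    """Subject claims to be a reply but no In-Reply-To/References header exists."""
    subject = (msg.get("Subject") or "").strip()
    return subject.upper().startswith("RE:") and not (
        msg.get("In-Reply-To") or msg.get("References"))

def text_body(msg):
    """Concatenate the text/plain parts of a message (single or multipart)."""
    parts = [msg] if not msg.is_multipart() else msg.walk()
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def zip_links_on_domain(msg, domain):
    """Links to .zip files hosted on `domain` or one of its subdomains."""
    found = []
    for host, path in URL_RE.findall(text_body(msg)):
        host = host.lower()
        if (host == domain or host.endswith("." + domain)) and path.lower().endswith(".zip"):
            found.append(f"http://{host}{path}")
    return found

def score_message(raw):
    """Return the list of indicators matched by one raw RFC 822 message."""
    msg = message_from_string(raw)
    indicators = []
    impersonated_domain = None
    mismatch = sender_mismatch(msg)
    if mismatch:
        name, addr, expected = mismatch
        indicators.append(f"display name '{name}' sent from {addr}, expected {expected}")
        impersonated_domain = expected.split("@", 1)[1].lower()
    if fake_reply(msg):
        indicators.append("subject starts with RE: but no threading headers")
    if impersonated_domain:
        for url in zip_links_on_domain(msg, impersonated_domain):
            indicators.append(f"zip link on impersonated sender's domain: {url}")
    return indicators

if __name__ == "__main__":
    print(score_message(RAW_MESSAGE))   # three indicators
    print(score_message(BENIGN_MESSAGE))  # []
```

The name-versus-address check only works where the gateway knows who normally sends from which mailbox, which is exactly the relationship the harvested address books give the spammer; the "RE:" test and the .zip-on-own-domain test need no directory and catch the same template on their own, which is why the three are scored independently rather than as one rule.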
?
Thank you!
Also thanks to: Gábor Szappanos, Ferenc László Nagy, Dorka Palotay, SophosLabs
@luca_nagy_